clamav
-
hey folks, i know that i'm gonna get a bunch of responses saying that clamav is useless especially since encryption yadda yadda...
at my place of employment, we got ransomed.. we have fortigates but as far as i'm concerned they've never been set up effectively, but that's not my problem and i'm not gonna get into that..
so to bring our little company back to a minimally functioning state, i brought one of my pfsense boxes in and connected it to a cable modem (wish my boss would allow us to connect it to fiber, but again, not gonna get into that)..
needless to say, it offers far better protection than the fortigates..
we DO have some situations where unencrypted traffic is being moved, so it is somewhat useful. within the first 30 minutes of getting my pfsense box up and people using it, it alerted me to ~30 viruses, and now it's up to 50+..
here's my question that i'm looking for help on. the definition and db files that it uses are old, i think the latest is april of this year.
what are the settings to use to update to the latest definitions since it doesn't update and the clamav site really doesn't give any direction with pfsense any longer..
Any help is greatly appreciated.
-
nothing? no one can offer anything?
-
@jc1976 I utilize clam AV. Leading to, I use certificates and use SSL interception with Squid proxy. It works well.
I utilize a splice list for items that need to not use SSL intercept to make this work.
It took some time to configure but it was worth it. With certificates you can see clam AV can spot https based viruses.
You might want to utilize the package named Snort also and use the emerging threats rulesets.
-
i would love to get to where you are, however i'm still somewhat of a novice and more so lazy about getting a proxy set up.. but here at where i work, we DO have unencrypted traffic and that's probably the source of how we got ransomed.. but that's on my boss, so..
anywho, can you tell me about your versioning and how you got there? my current "squid antivirus status" shows the following:
Squid Version 5.8
Antivirus Scanner ClamAV 1.1.0,1 C-ICAP 0.5.10_1,2 + SquidClamav 7.2
Antivirus Bases
Database      Date        Version  Builder
daily.cvd     2023.04.12  26873    raynman
bytecode.cvd  2023.02.22  334      anvilleg
main.cvd      2021.09.16  62       sigmgr

seems that no matter what i do, i can't get the versions to update to the latest signatures. As of the other day, it was up to finding some ~70 viruses. that's all gone and not showing now because i was messing with it this morning and ran a reinstall of it, so those got wiped out. but we've got some real bozos here at work and yes, i know it's not scanning encrypted traffic in its current state, but like i said, we have a LOT of unencrypted uploads/downloads going on at the moment while we try to rebuild ourselves.
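One way to tell whether the signature versions shown in that status table are actually behind, as an added example and not something from this thread or from the pfSense package: read the "Version:" line that `sigtool --info` prints for a .cvd file and compare it with the versions ClamAV publishes in the TXT record at current.cvd.clamav.net (the same record freshclam checks; main is the 2nd colon-separated field, daily the 3rd, bytecode the 8th). Both inputs below are constructed sample strings so the script runs offline; on a live box they would come from `sigtool --info /var/db/clamav/daily.cvd` and `dig +short TXT current.cvd.clamav.net`.

```shell
#!/bin/sh
# Constructed sample of `sigtool --info daily.cvd` output (not captured from a real box).
SAMPLE_DAILY_INFO='File: daily.cvd
Build time: 12 Apr 2023 04:24 -0400
Version: 26873
Signatures: 2025389
Functionality level: 90
Builder: raynman'

# Constructed sample TXT record in the field order freshclam uses (assumed):
# <clamav release>:<main ver>:<daily ver>:<unix time>:<x>:<y>:<z>:<bytecode ver>
SAMPLE_TXT='0.103.8:62:26900:1683000000:1:90:49192:334'

# Pull the numeric "Version:" value out of sigtool --info output.
local_version() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "Version" { print $2 }'
}

# Pull the published version for main|daily|bytecode out of the TXT record text.
published_version() {
    case "$1" in
        main)     field=2 ;;
        daily)    field=3 ;;
        bytecode) field=8 ;;
        *)        return 1 ;;
    esac
    printf '%s\n' "$2" | cut -d: -f"$field"
}

# Report one database as current or stale; prints nothing and fails on an unknown name.
check_db() {
    db="$1"; info="$2"; txt="$3"
    have=$(local_version "$info")
    want=$(published_version "$db" "$txt") || return 1
    if [ "$have" -ge "$want" ]; then
        echo "$db: current ($have)"
    else
        echo "$db: stale ($have < $want)"
    fi
}

check_db daily "$SAMPLE_DAILY_INFO" "$SAMPLE_TXT"
```

With the constructed inputs this reports the daily database as stale, which is the condition to alert on if the package's own updater is not running.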
-
yeah, how are you on squidclamav 7.2?
did you run a separate update for clam? i installed it all through the pfsense package manager. i figure it's somewhat outdated because not many people seem to care to use it but i'd like to keep it running. just not sure how to go about updating it to the latest version like you have.
thanks for your insight!
-
@jc1976 I am running the version that comes down from package manager. I know the GUI has a bug that shows 2021 for main inside of pfSense. They have a Redmine ticket open for that.
https://redmine.pfsense.org/issues/14108
If you are also seeing this please add a screenshot to the Redmine ticket.
I am running ClamAV 7.2
I am using certificates for everything on this network.
For items that are unethical to intercept I splice the connections with a splice file like banks etc.
(Custom options)
(Splice List File)
-
@jc1976 I personally do not know how I am on 7.2. I just use the standard packages.
I have used pkg update and pkg upgrade in the shell but I do not think that would cause it.